
RE: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments)



At 1:02 PM -0700 4/23/01, Ambarish Malpani wrote:
> Even if you are requiring clients to pull the CRLs from your
> directory, you still need to have enough bandwidth to and replication
> of the directory to support all the clients who need to pull the
> new CRL every time it is issued.

The alternative is that some users would have a different (that is, better) list of what is in the CRL than others, and those others would have no way of knowing that their list of revoked certificates is incomplete. That seems pretty awful to me. To be a bit crass, if you don't have the bandwidth, force your users to use delta CRLs, or don't be a CA.


If for some reason the wording in son-of-2459 goes towards not requiring a new CRL being issued, there also needs to be a fairly stern warning both in the delta CRL section and in the security considerations section saying that some users will have different views of what certificates have been revoked, and that they won't know it.

--Paul Hoffman, Director
--Internet Mail Consortium
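The divergence Paul describes can be made concrete with a small model. The following is an added example and not code from the thread or from any PKIX implementation: it models a CA that issues complete and delta CRLs with constructed serial strings (no real X.509 encoding), and two relying parties, one that only fetches the complete CRL and one that merges the newest applicable delta. The `CA`, `CRL`, `view_complete_only`, `view_with_delta`, `divergence` and `complete_crl_is_current` names are hypothetical; the applicability rule for a delta (its BaseCRLNumber is no greater than the complete CRL's number, and its own CRLNumber is greater) is a simplified rendering of the CRLNumber/BaseCRLNumber relationship, assumed here for the simulation.

```python
"""Constructed model of complete vs. delta CRL issuance (added example, not thread code)."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class CRL:
    number: int                            # CRLNumber extension value
    revoked: frozenset                     # serials listed in this CRL
    base_crl_number: Optional[int] = None  # BaseCRLNumber: present only on a delta CRL

    @property
    def is_delta(self) -> bool:
        return self.base_crl_number is not None


class CA:
    """Hypothetical CA that tracks revocations and issues CRLs from one number sequence."""

    def __init__(self) -> None:
        self._revoked: Set[str] = set()
        self._next_number = 1
        self.complete_crls: List[CRL] = []
        self.delta_crls: List[CRL] = []

    def _issue_complete(self) -> None:
        self.complete_crls.append(CRL(self._next_number, frozenset(self._revoked)))
        self._next_number += 1

    def revoke(self, serial: str, *, as_delta: bool = False,
               reissue_complete: bool = True) -> None:
        """Revoke a serial. Either issue a new complete CRL, or issue a delta CRL
        against the latest complete CRL and (policy choice) reissue the complete CRL too."""
        self._revoked.add(serial)
        if not as_delta:
            self._issue_complete()
            return
        base = self.complete_crls[-1]
        new_since_base = frozenset(self._revoked - base.revoked)
        self.delta_crls.append(
            CRL(self._next_number, new_since_base, base_crl_number=base.number))
        self._next_number += 1
        if reissue_complete:
            self._issue_complete()


def view_complete_only(ca: CA) -> Set[str]:
    """Relying party that never processes delta CRLs: it sees only the latest complete CRL."""
    return set(ca.complete_crls[-1].revoked)


def view_with_delta(ca: CA) -> Set[str]:
    """Relying party that merges every delta applicable to its complete CRL.
    Simplified applicability rule (assumption): BaseCRLNumber <= complete number < delta number."""
    base = ca.complete_crls[-1]
    merged = set(base.revoked)
    for delta in ca.delta_crls:
        if delta.base_crl_number <= base.number < delta.number:
            merged |= delta.revoked
    return merged


def divergence(ca: CA) -> List[str]:
    """Serials that delta-aware parties treat as revoked but complete-only parties still accept."""
    return sorted(view_with_delta(ca) - view_complete_only(ca))


def complete_crl_is_current(ca: CA) -> bool:
    """Operator-side check: does the latest complete CRL already cover every issued delta?
    False means complete-only relying parties are behind and cannot tell."""
    latest = ca.complete_crls[-1].revoked
    return all(delta.revoked <= latest for delta in ca.delta_crls)


def build_scenario(reissue_complete: bool) -> CA:
    """Constructed scenario: one revocation via complete CRL, then one via delta CRL."""
    ca = CA()
    ca.revoke("serial-A")                                   # complete CRL #1 lists {A}
    ca.revoke("serial-B", as_delta=True,                    # delta CRL #2 (base 1) lists {B}
              reissue_complete=reissue_complete)            # optionally complete CRL #3 {A, B}
    return ca


if __name__ == "__main__":
    for policy in (False, True):
        ca = build_scenario(reissue_complete=policy)
        print(f"reissue complete CRL with delta={policy}: "
              f"missed by complete-only parties={divergence(ca)}, "
              f"complete CRL current={complete_crl_is_current(ca)}")
```

With `reissue_complete=False` the complete-only relying party still accepts `serial-B`, and nothing in the CRL it holds tells it that a newer list exists; with `reissue_complete=True` both views agree. `complete_crl_is_current` is the kind of check a CA operator can run against the published artifacts to confirm the policy is actually being followed.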